5 Reasons (Other than PCI Compliance) You Need to Upgrade Your TLS

Published June 29th, 2018; page timestamp 2018-08-03T16:57:55+00:00

If your company is PCI compliant, you already know that June 30 is the deadline to upgrade your TLS.

TLS uses public key cryptography to encrypt all of your web traffic so your users' data isn't stolen.

However, compliance is not the only reason you should upgrade your TLS. Here are five reasons, other than compliance, to do it.

Early versions of TLS have known vulnerabilities

One of the OWASP Top 10 risks is depending on components with known vulnerabilities within your code.

An important piece of TLS is not just the encryption of the traffic but what you use to encrypt it. TLS allows you to choose your cipher suite.

A common mistake system administrators make is enabling weak ciphers that allow a downgrade attack such as POODLE to occur.

A POODLE attack occurs when an attacker forces your server to downgrade to SSL version 3.0, which is known to be weak against attack.

The attacker can then easily decrypt the traffic using brute force techniques without even knowing the key.

The BEAST attack occurs when an attacker delivers a malicious script to the user via another vulnerability, such as CSRF.

Then the attacker can guess the initialization vector of the encryption algorithm and use it to decrypt data.

These attacks can happen to you if you are still using SSL 3.0 or TLS 1.0. Upgrade your TLS, or you will have major vulnerabilities in your applications.

You can use SSL Labs to find out if you are vulnerable to the BEAST attack.
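As an added example that is not part of the original post, the Python below does in miniature what the post asks SSL Labs to do: it parses a TLS ServerHello record and reports the negotiated protocol version and cipher suite, flagging SSL 3.0/TLS 1.0/1.1 and the CBC and RC4 suites targeted by POODLE- and BEAST-era attacks. The cipher-suite table is a small subset of the IANA registry, and the ServerHello fixtures are constructed here for illustration rather than captured traffic.

```python
import struct
# Wire-format protocol versions; anything below TLS 1.2 is what the post says to retire.
VERSION_NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
SUPPORTED_VERSIONS_EXT = 0x002B
# A handful of IANA cipher suite IDs; CBC and RC4 suites are the POODLE/BEAST-era ones.
CIPHER_SUITES = {0x0005: "TLS_RSA_WITH_RC4_128_SHA",
                 0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
                 0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                 0x1301: "TLS_AES_128_GCM_SHA256"}

def parse_server_hello(record):
    """Return negotiated version, cipher suite name and audit findings for one record."""
    ctype, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    hs = record[5:5 + rec_len]
    if ctype != 0x16 or hs[0] != 0x02:
        raise ValueError("not a ServerHello handshake record")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = int.from_bytes(body[0:2], "big")
    pos = 2 + 32 + 1 + body[34]                  # skip version, random, session_id
    suite = int.from_bytes(body[pos:pos + 2], "big")
    pos += 3                                      # cipher suite + compression method
    if pos + 2 <= len(body):                      # extensions block is optional
        end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if etype == SUPPORTED_VERSIONS_EXT and elen == 2:
                # TLS 1.3 keeps legacy_version = 0x0303 and signals 1.3 here instead
                version = int.from_bytes(body[pos:pos + 2], "big")
            pos += elen
    name = CIPHER_SUITES.get(suite, f"unknown(0x{suite:04x})")
    findings = []
    if version < 0x0303:
        findings.append(f"legacy protocol {VERSION_NAMES.get(version, hex(version))}")
    if "_CBC_" in name or "RC4" in name:
        findings.append(f"weak cipher suite {name}")
    return {"version": VERSION_NAMES.get(version, hex(version)),
            "cipher_suite": name, "findings": findings}

def build_server_hello(version, suite, supported_version=None):
    # Constructed ServerHello fixture (not a real capture) for exercising the parser.
    exts = b"" if supported_version is None else struct.pack(
        "!HHH", SUPPORTED_VERSIONS_EXT, 2, supported_version)
    body = (struct.pack("!H", version) + bytes(32) + b"\x00"      # empty session_id
            + struct.pack("!HB", suite, 0) + struct.pack("!H", len(exts)) + exts)
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 0x16, version, len(hs)) + hs
```

Feed `parse_server_hello` the first record a server sends back after a ClientHello (for example from a packet capture) and the `findings` list tells you whether that server still negotiates anything the post says to retire.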

But even worse than not upgrading TLS is not using it at all.

Without TLS your data is a sitting duck

Without TLS, the conversation between you and your customer will be in cleartext and readable by anybody.

For instance, if your customer is sitting at a coffee shop using free Wi-Fi, somebody else sitting at that coffee shop on the same Wi-Fi network can easily read and manipulate the traffic.

In fact, sensitive data exposure is one of the OWASP Top 10 risks for web applications.

This should tell you that many bad people are trying to find sensitive data and you shouldn’t leave it open by not using TLS.

Someone can impersonate you

A man-in-the-middle attack happens when an attacker impersonates both sides of a conversation without either side knowing.

The attacker steals your data as it gets sent along and can manipulate the HTML pages as they come across the wire.

For instance, an attacker could insert JavaScript that gets sent back to the client and does nasty things. Or they could simply steal your password.

Either way, you don’t want someone pretending to be your company.

TLS ensures both confidentiality and integrity of the data.

[Image: Chrome's "Your connection is not private" warning page]

If you’ve ever seen the above screen, you’ve seen TLS (and Chrome) protecting you from someone stealing your data.

It prepares you for HTTP/2

Protection is great, but not upgrading TLS may also leave you unable to take advantage of new technologies.

HTTP/2 is the newest protocol for transporting web applications across the Internet.

It's much faster than older versions of HTTP and is now supported by more and more browsers.

However, a key point to remember is that modern browsers will only support it if the traffic is over TLS 1.2 or higher.

Therefore, if your website is already using TLS 1.2 or higher, you're ready to start using HTTP/2.

This will give your customers a better overall experience and more security.

Your website is more trustworthy

Trust is a rare thing in today’s Internet world.

If your clients and customers don’t trust you, they will not do business with you.

Using the latest TLS protocol will help to build that trust. Your customers will see that beautiful green padlock in their browser, although the padlock may be going away soon as well.

Either way, Google and other browser makers are trying to make security the default for all websites. HTTPS and TLS should be the norm. If you don't use it, your customers' browsers will warn them to stay away from you.

I think you want your customers to stay. Upgrading your TLS version is a small change in comparison.

Don’t Wait Until You Have To

PCI is telling you that you have to upgrade by June 30. However, updating simply based on compliance is never a good security strategy. Being compliant does not mean you are secure.

Upgrading to TLS 1.1 or 1.2 is the best way to protect your customers and your reputation.

Upgrading protects your data, which is the lifeblood of your organization.

What are you waiting for? Go upgrade your TLS version.

We’ll be here when you get back.

Image credit: Wikipedia
